A security management approach focused solely on engineering fails primarily because of the “intelligent” or adaptable attacker. For example, if security were pure engineering, it would be like building a bridge or getting an airplane in the air. In these cases, the forces that are applied to the infrastructure do not adapt or change tactics to cause failure. At worst, in engineering against nature we only have a difficult time adapting to forces unforeseen due to a combination of factors.

But InfoSec has to deal with the behaviors of attackers. Their sentience includes creativity and adaptability. The wind does not act to deceive. Gravity and rust do not go “low and slow” to evade detection. Rain does not customize its raindrops to bypass umbrellas. But sentient attackers do change to evade defenses and reach their goal.

Important Links

Dr.InfoSec

Connect with me

About Me

Chris, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people.Whether performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, or advising board members on effective governance of cyber risks, Chris enjoys working with business leaders to improve their organization's cyber risk posture.

Disclaimer

The views and opinions expressed here are those of Dr. Veltsos only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.

All content on this blog is provided as general information and is for educational purposes only. It should not be construed as professional advice or guidance. All trademarks and copyrights on this blog belong to their respective owners.